[lxc-devel] [PATCH 7/8] cgroup: don't set devices cgroup if not in init_user_ns

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jul 22 15:10:07 UTC 2013


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Fri, Jul 19, 2013 at 02:26:54PM +0000, Serge Hallyn wrote:
> > From: Serge Hallyn <serge.hallyn at ubuntu.com>
> > 
> 
> Hmm, I may be missing context with that diff, but where exactly is the
> code making this check userns-specific?

Uh.

Maybe in the hunk I dropped?

Thanks, will fix!

> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > ---
> >  src/lxc/cgroup.c | 8 ++++++++
> >  1 file changed, 8 insertions(+)
> > 
> > diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
> > index c707519..8a875b8 100644
> > --- a/src/lxc/cgroup.c
> > +++ b/src/lxc/cgroup.c
> > @@ -292,6 +292,14 @@ int lxc_cgroup_set_bypath(const char *cgrelpath, const char *filename, const cha
> >  	char *cgabspath;
> >  	char path[MAXPATHLEN];
> >  
> > +	/*
> > +	 * exception: if in a user namespace, don't try to set devices cgroup.
> > +	 * (a) a task in non-init userns can't use most devices anyway, and
> > +	 * (b) a task in non-init userns cannot write to devices.{allow,deny}
> > +	 */
> > +	if (strncmp(filename, "devices.", 8) == 0)
> > +		return 0;
> > +
> >  	cgabspath = cgroup_path_get(filename, cgrelpath);
> >  	if (!cgabspath)
> >  		return -1;
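Review bot: The early return at `if (strncmp(filename, "devices.", 8) == 0) return 0;` near the top of lxc_cgroup_set_bypath() is unconditional. Nothing in this hunk tests whether the caller is outside the initial user namespace, although both the comment and the subject line make that the condition. As posted, every devices.* write is skipped and reported as success, so a container started from the initial user namespace with devices.allow or devices.deny settings would come up with none of them applied and no error returned. Gate the return on the user-namespace check the comment describes, and consider logging when a devices.* setting is skipped so that the dropped restriction is visible to the administrator.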
> > -- 
> > 1.8.3.2
> > 
> > 
> > _______________________________________________
> > Lxc-devel mailing list
> > Lxc-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/lxc-devel
> 
> -- 
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com


